Welcome to Horusscenario.com. This website was created to inform the general public of the “Horus scenario” cyber attack that could impact everyone’s lives by downing the Grid.
The existence of this scenario was originally discovered and proven to be possible by Willem Westerhof during his internship at ITsec in late 2016. Since then several other researchers have conducted similar analyses and drawn the same conclusion or discovered even more critical vulnerabilities in PV installations.
If you have found something, or have done research, that you feel deserves a mention on this site, please reach out.
What is the Horus scenario
What is it?
The Horus scenario is a scenario describing a large-scale cyber attack targeting the vital electrical infrastructure by hacking PV installations. This scenario was both theoretically and practically proven to exist during the thesis of Willem Westerhof in 2017 and later confirmed by other independent researchers.
Why is it called Horus scenario?
Horus is an ancient Egyptian god, referred to in many different ways, most of which relate to the heavens or the sun. In mythology, one of his eyes stands for the sun and the other for the moon. The Horus scenario focuses on a cyber attack on photovoltaic installations (solar energy systems) and “recreates” the impact that a solar eclipse has on the stability of the power grid, hence the reference to the old god.
What does this mean?
In essence, this means that a scenario was theorized and then proven where a malicious hacker targets the electrical grid by focusing on PV installations and succeeds in causing large-scale (nation-wide or even continental) power outages. If this attack is ever truly executed in the wild, it is expected to cost billions of euros and have a direct and severe (sometimes fatal) impact on everybody’s lives. The impact of such an attack is most likely worse than, or at least comparable to, what happened during the Iberian Peninsula blackout in 2025.
Theoretical Concept
Balance in the power grid
The power grid needs to maintain a constant balance between supply of power and demand for power. If supply exceeds demand, or demand exceeds supply, outages can occur. To maintain stability, all sorts of countermeasures exist to prevent outages due to peaks or dips in demand or supply. Under normal circumstances, these countermeasures ensure grid stability. There is, however, a limit to these countermeasures: a maximum peak or dip value in a specific period of time. If an attacker is capable of going beyond this maximum peak or dip value, outages will occur.
Intertwined grids
The thing with power grids, at least in Europe, is that they are very intertwined. Nations are constantly exporting and importing power to and from each other, and power grid regulators have made agreements to help each other during times of crisis. Because of this intertwinedness, an attack on or failure of any part of the power grid automatically has effects in other intertwined power grids as well.
PV Installations
PV installations influence the balance of the power grid in two ways. They supply power directly to local appliances (lessening the demand) and any excess power is supplied to the grid (increasing the supply). An attacker capable of controlling the flow of power from these devices can therefore have a direct effect on the balance of the power grid.
Scale is key
A hacker controlling a single device of course isn’t much of a problem. The available countermeasures for grid stability will easily protect us from such an attack. Hacking these devices becomes a problem when done at a large scale. Since more and more of these PV installations are being connected to the internet, cloud environments or the local network to provide the user with certain functionalities, they can be targeted easily and remotely by hackers.
In Europe there is over 350 GW of PV power installed (2025) and this will ramp up to ~750 GW in 2030. An attacker capable of controlling the flow of power from a large number of these devices could therefore cause peaks or dips of 10+ gigawatts, causing massive balancing issues which can lead to large-scale power outages.
Theoretical proof
Showing evidence
In order to prove that this scenario is possible, two methods were used: a statistical method, and a comparison to the 2015 solar eclipse. In addition, other researchers have shown that several <1 GW attacks are also possible.
Statistical method
Using a mathematical model it is possible to estimate the amount of PV energy in a power grid at a given time. Based on this model as well as official sources, it was determined that an attack like this is statistically possible. For example, the German power grid can (at peak sunshine times in 2025) cover 50% up to 60% of its power demand using only PV installations. A cyberattack in this grid at the right time could take out up to 60% of the nation’s power supply, almost instantly causing a very large (nation-wide, up to continental due to the intertwined power grids) power outage.
Sadly, it is impossible to determine exact numbers on the threshold values (though several trustworthy sources indicate a range of 3-5 GW). That said, it cannot realistically be expected of a nation like Germany to lose 50 up to 60% (30+ GW) of its power supply instantly and not see a power outage. It is simply too costly for power regulators to have that amount of power balancing on standby at all times. It may even be impossible to have that kind of reserves trigger instantly, as traditional power plants take more time to increase and decrease their overall power output when compared to PV installations.
Comparison to solar eclipse
Another way of estimating the impact of such a cyber attack is by comparing it to the 2015 solar eclipse. This solar eclipse happened in the morning when the sun was shining and affected almost all PV installations in Europe (some more than others). Effectively, the solar eclipse controlled the flow of power from these devices (less sun equals less power from those devices, more sun equals more power from those devices).
The solar eclipse was a 2-3 hour long event that the power grid regulators were well prepared for. Large solar fields had been temporarily shut off, additional reserves and regulation materials were available, an exact plan of when to regulate in what amounts was calculated based on the expected solar eclipse pattern, extra manpower was available, etc. The power grid stayed balanced that day, due to the effort of all these regulation parties. Had they done nothing, the power grid would have failed without a doubt.
When we compare this to the potential cyber attack, it looks very grim. This cyber attack will not take 2-3 hours but +/- a minute. The speed of the peaks and dips will be very hard, if not impossible, to deal with. Besides that, the cyber attack is not something they are prepared for: the additional reserves and regulations are not in place, no extra manpower is present, and no exact plan exists. Another critical point is that the solar eclipse happened in the morning as the sun was rising. The cyber attack will likely take place in the middle of the day when the sun shines brightest or when the grid is already under extreme stress, increasing the impact of controlling the flow of these devices. Finally, the solar eclipse follows a perfectly logical pattern. A cyber attack can follow any pattern the attacker creates. This may in fact be random, or shifting between on and off very fast, for example causing several GW swings per minute. It becomes nearly impossible for power grid regulators to deal with this, as it follows no expected pattern and the attacker is capable of controlling the flow faster than the grid regulators. The graph shown below is an example, but the pattern may very well be much more random, with far more peaks and dips than shown below.
Based on this comparison it can be concluded that the cyber attack is far worse. Any power grid with a lot of PV power in it will be affected heavily. Due to the intertwinedness of power grids, large scale power failures can, and should, be expected.
Based on both the statistical information and the comparison to a real life scenario it can be concluded that this type of load-altering attack is indeed theoretically possible.
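The difference between an eclipse-paced and a minute-paced loss of PV infeed can be made concrete with a small aggregated frequency model. This is an example added here, not part of the original research; only the 3 GW reserve (the low end of the 3-5 GW range above) and the 10 GW loss come from this page, and every other parameter is an assumed round number for a large synchronous area.

```python
# Added illustration: single-bus frequency model with ramp-limited reserves.
# All constants are assumptions unless noted; it does not model load shedding
# or generator tripping, it only reports the lowest frequency reached.
F0 = 50.0                 # nominal frequency, Hz
SYSTEM_GW = 300.0         # assumed load of the synchronous area
H_S = 5.0                 # assumed aggregate inertia constant, seconds
DAMPING = 3.0             # assumed load self-regulation, GW per Hz
FCR_GW = 3.0              # fast reserve: low end of the page's 3-5 GW range
FCR_FULL_HZ = 0.2         # assumed deviation at which the reserve is fully called
FCR_RAMP = FCR_GW / 30.0  # assumed full deployment in 30 s (GW/s)
REDISPATCH_RAMP = 0.01    # assumed slower redispatch, GW/s (0.6 GW/min)
UFLS_HZ = 49.0            # assumed under-frequency load-shedding threshold


def frequency_nadir(loss_gw, ramp_s, dt=0.1):
    """Lowest frequency when `loss_gw` of infeed disappears over `ramp_s` seconds."""
    f = nadir = F0
    fcr = redispatch = 0.0
    for step in range(int((ramp_s + 120.0) / dt)):
        lost = loss_gw * min(1.0, step * dt / ramp_s)
        # Fast reserve follows the frequency deviation, capped and ramp-limited.
        target = min(FCR_GW, max(0.0, (F0 - f) / FCR_FULL_HZ * FCR_GW))
        fcr += max(-FCR_RAMP * dt, min(FCR_RAMP * dt, target - fcr))
        # Slower plants chase the lost infeed at their maximum ramp rate.
        redispatch += min(REDISPATCH_RAMP * dt, max(0.0, lost - redispatch))
        imbalance = fcr + redispatch + DAMPING * (F0 - f) - lost
        # Swing equation for the aggregated system: df/dt = f0 * dP / (2 H S).
        f += F0 * imbalance / (2.0 * H_S * SYSTEM_GW) * dt
        nadir = min(nadir, f)
    return nadir


def breaches_load_shedding(loss_gw, ramp_s):
    """True if the modelled nadir falls below the load-shedding threshold."""
    return frequency_nadir(loss_gw, ramp_s) < UFLS_HZ


if __name__ == "__main__":
    for label, ramp_s in (("10 GW over 2 h", 7200.0), ("10 GW over 1 min", 60.0)):
        print(label, round(frequency_nadir(10.0, ramp_s), 2), "Hz")
```

With these assumptions the two-hour ramp is absorbed by redispatch alone, while the same 10 GW lost in one minute outruns both reserve layers and pushes the modelled frequency below the load-shedding threshold.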
Alternative <1 GW scenarios
In addition, a recent Australian research paper also indicated that control of <1 GW of PV systems may already pose a major issue when a grid is under stress.
The key finding in that research paper relevant for these attacks is that you do not necessarily need to completely drain the reserve pool; you just need to give it the final push, and it is possible to accurately predict when the grid is already in trouble.
Furthermore, it indicates that the speed at which the imbalance is caused also matters greatly. As long as you can cause an imbalance faster than others can remediate it, you can still trigger cascading failures even with <1 GW attacks.
Finally, recent changes to PV installations often allow setting sensitive and critical electricity and safety parameters using default available features (often even via cloud environments). These parameters can often be set to dangerous values, causing all sorts of electrical problems (over- or undervoltage, oscillations, reactive power manipulation, hindering recovery, etc.), both locally and in upstream substations.
Example of overvoltage safety limits set to dangerous values via cloud.
Hence the latest insights indicate that having access to even a relatively small number of PV installations enables an attacker to cause major issues in the grid.
Practical proof
Showing evidence
Proving that the Horus scenario is theoretically possible is one thing, but if no security vulnerabilities exist in PV-installations it is still practically impossible.
In 2017 a live test setup was used to discover vulnerabilities in the market-leading, and likely the most secure, brand: SMA. Devices of this brand are generally considered to be the Mercedes among PV inverters, have won several awards for outstanding solar energy products and at the time had been the market leader for several years.
In 2025 the market for PV looks vastly different. SMA is still a big player but Chinese manufacturers now dominate the market. However, security-wise the market has not improved. On the contrary, critical vulnerabilities are found frequently, even in manufacturer systems controlling 10+ or even 50+ GW within Europe. For an overview of recent attacks, see the attack overview page.
Laws & guidelines
Several laws and guidelines exist for power supply equipment and its cyber security, for example IEC 62443, IEC 62351 and ISO/IEC 27001. That said, the PV installation businesses and PV inverter suppliers are in no way obliged to actually follow these laws and guidelines. Since they are not obliged to follow them, it can be expected that few cyber security measures are in fact in place for the majority of PV inverter vendors.
Even in 2025, when PV installations are a significant part of our critical infrastructure, little to no laws and regulations are applicable to these devices. Those laws and regulations that are applicable (e.g. CRA) underclassify these devices and the related portals, effectively making the regulation miss the mark in solving the issue. The NIS2 law in most cases also does not cover the specific edge case of distributed energy PV systems. Nice write-ups of this can also be found here, here and here.
Field testing Horus 1.0
In the thesis of Willem Westerhof in 2017, a hands-on black box study was done to find vulnerabilities in the test setup. Full technical details are available upon request. Findings ranging from a 0.0 CVSS 3.0 (Informational) score up to a 9.0 CVSS 3.0 (Critical) score were discovered. These findings resulted in an attacker being able to compromise the device completely. Not only was it possible to hack the device and control its flow of power, there were actually several different ways of doing this.
In total seventeen vulnerabilities (later split into twenty-one findings as requested by the vendor) were discovered, fourteen of which have been awarded a CVE-ID. Using several of these vulnerabilities it is possible to create a complete kill chain from start to finish executing the Horus scenario.
All these vulnerabilities were responsibly disclosed to the vendor in December 2016. In early 2017 the theoretical concept as well as the vulnerabilities in this scenario were disclosed to specific governmental institutes and power grid regulators, since they had a direct impact on the vital infrastructure.
Further field testing
Since 2017 several other researchers have also done independent research into this topic and proven the scenarios to be possible in practice by exploiting PV installations and their related components. An overview of the latest practical proof can be found here.
By looking at affected vendors, the amount of PV installed, and the vulnerabilities discovered in 2025 alone, it is possible to determine that the vast majority of PV installations could have been compromised by leveraging vulnerabilities at the start of 2025. In practice, this means load-altering attacks of dozens of GW were possible and could be used to take down almost any grid across the globe.
For Europe specifically, at the start of 2025, over 60 GW of PV installations were vulnerable to exploitation over the internet by arbitrary attackers (based on vulnerabilities publicly released between January 2025 and early August 2025 and publicly available vendor market share data). With the theory indicating that ~5 GW should be enough to down the European grid, this situation is worrying to say the least.
Sadly, even more vulnerabilities will be coming out later this year, and presumably in future years as well. These will be posted separately here.